Hi Uri,
>> I want access to the guest consoles, which means spice connections to
>> the host. But I want those connections secured either by TLS or SSH.
>> So far can get only plain insecure spice connections from a windows
>> workstation to the kvm host.
>
> You should be able to use secure ports both on Linux and on Windows.
Yes, I managed to do that using the correct URL syntax, something like
spice://kvmhost?tls-port=5901
Setting up TLS on the kvm host is not easy. It would be very nice if
remote-viewer for Windows was able to set up ssh tunnels.
I am also worried about authentication using spice+tls. Any user, from
any machine, can connect to the spice+tls port. But using an ssh tunnel
means each user needs his own ssh password or key.
> This can be done by specifying the secure channels either on the
> spice-server side (qemu-kvm -spice command line option), or on the
> client side (with spice-gtk >= 0.20). If you only provide a
> secure-port (and no insecure port), all channels are secured.
The problem is, virt-manager and virsh always configure an insecure
port. Either it is fixed, or it is auto, but never disabled. I had to
block the insecure ports on the host using iptables, else virt-viewer
and virt-manager never use the tls port. Looks like this is a libvirt
fault, not qemu.
But on remote-viewer, using the correct URL syntax opens connections
using the tls port even if the insecure one is not blocked.
[]s, Fernando Lozano